icedid | 85270b779afaf43f2cae16891abb9c549bb0726a488ecceb268719dfe8d298af

Analysis

Target

documents.lnk
Size

2KB
MD5

c47da7e1fb88cc6dbfaba6c3d2fd2ad2
SHA1

026b447f94dca2a3959311bb2459f874e780d6a3
SHA256

db435a3dd2d860a1dcafad8712f0a233ad0ae9cb7f9277d20aed04b39e27a829
SHA512

695abaaf67b305fdebfc68d892af5e9456334c3926f322d9de5e39ed3294e5498e9a764615f704fa96253862ddef4e415c230fc29fa0e073d9b8c16c6264aa28

Score

10^/10

Family

icedid

Campaign

3416991016

bredofenction.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1244 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1244 rundll32.exe
1244 rundll32.exe

flow	pid	process
2	1244	rundll32.exe

pid	process
1244	rundll32.exe
1244	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 784 wrote to memory of 1244	784	cmd.exe	rundll32.exe
PID 784 wrote to memory of 1244	784	cmd.exe	rundll32.exe
PID 784 wrote to memory of 1244	784	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:784

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/784-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/1244-88-0x0000000000000000-mapping.dmp

Download
memory/1244-92-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download